mrparkers / terraform-provider-keycloak

Terraform provider for Keycloak
https://registry.terraform.io/providers/mrparkers/keycloak/latest/docs
MIT License

PKCE empty value can not be set to empty #197

Closed dlechevalier closed 4 years ago

dlechevalier commented 4 years ago

Hi @mrparkers , thanks for the great job on this provider!

Found an issue with the values available for pkce_code_challenge_method. I don't use PKCE for confidential clients, only for public ones. So I need to set the pkce_code_challenge_method default value to an empty string, but I can't:

expected pkce_code_challenge_method to be one of [plain S256], got

I can add this empty value to fix the problem and make a PR if you're OK.

dlechevalier commented 4 years ago

I need this fix fast, so I did a PR in the morning: https://github.com/mrparkers/terraform-provider-keycloak/pull/198. I just need to fix the test and rebase.

mrparkers commented 4 years ago

Hi @dlechevalier, thanks for the issue.

You can omit the pkce_code_challenge_method attribute entirely, and it will end up being an empty string on the Keycloak server. I just tested this on Keycloak 8.0.0 using the latest version of this provider.

Can you give that a shot and see if it works for you?

dlechevalier commented 4 years ago

Hi, I've tried with Keycloak 7.0.

If not specified, pkce_code_challenge_method is set to an empty string and there's no problem.

But if I set pkce_code_challenge_method to S256 using the GUI (some people in my team do it this way) and then update the client with the provider, pkce_code_challenge_method is set back to empty if it is not defined in the provider config. I just want to set the default value as empty in my openid_client custom module and specify S256 only for those who need PKCE (public clients). For now, I can only set the default value to "S256" or "plain".

mrparkers commented 4 years ago

if I set pkce_code_challenge_method to S256 using the GUI (some people in my team do it this way) and then update the client with the provider, pkce_code_challenge_method is set back to empty if it is not defined in the provider config

I think this behavior will remain even if the provider supported an empty string for this field. Terraform wants to be the authoritative source for configuration, so if you define a keycloak_openid_client with a specific configuration, it will try to ensure that this configuration is always up to date, and will undo manual changes made in the GUI in order to achieve this.

I just want to set the default value as empty in my openid_client custom module and specify S256 only for those who need PKCE (public clients). For now, I can only set the default value to "S256" or "plain".

If you use HCL2 (Terraform 0.12.x or higher), you can achieve this with the null type. By setting pkce_code_challenge_method = null, it will behave as if the attribute was not specified at all, resulting in an empty string.

That being said, I understand that the GUI provides a literal empty string as an option in the dropdown for this configuration, so I think it's okay to support that in the provider if you'd still like to do that.

Just let me know how you'd like to proceed.
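The null-default pattern described in the comment above, written out as an added example (not code from the thread or from the provider's own docs). It assumes Terraform 0.12+ HCL2 as the comment states; the module path, variable names and realm/client identifiers are invented for illustration, and only attributes the keycloak_openid_client resource actually has are used.

```hcl
# modules/openid_client/variables.tf (hypothetical module path)
variable "realm_id" {
  type = string
}

variable "client_id" {
  type = string
}

variable "public" {
  type    = bool
  default = false
}

variable "redirect_uris" {
  type = list(string)
}

# A null default makes the provider treat the attribute as unset, so Keycloak
# ends up with an empty challenge method (no PKCE) without the provider
# rejecting the value. Callers override it only where PKCE is wanted.
variable "pkce_code_challenge_method" {
  type    = string
  default = null
}

# modules/openid_client/main.tf
resource "keycloak_openid_client" "this" {
  realm_id                   = var.realm_id
  client_id                  = var.client_id
  access_type                = var.public ? "PUBLIC" : "CONFIDENTIAL"
  standard_flow_enabled      = true
  valid_redirect_uris        = var.redirect_uris
  pkce_code_challenge_method = var.pkce_code_challenge_method
}

# Root module: confidential client keeps the default (empty), the public
# browser client explicitly opts into S256.
module "backend_api" {
  source        = "./modules/openid_client"
  realm_id      = "example-realm"
  client_id     = "backend-api"
  redirect_uris = ["https://api.example.test/callback"]
}

module "spa" {
  source                     = "./modules/openid_client"
  realm_id                   = "example-realm"
  client_id                  = "spa"
  public                     = true
  redirect_uris              = ["https://app.example.test/callback"]
  pkce_code_challenge_method = "S256"
}
```

Because Terraform is authoritative for the resource, a method chosen in the GUI for a client managed this way will still be reverted on the next apply unless it is also set in the module call.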

dlechevalier commented 4 years ago

Thanks for your answer. I use Terraform 0.11 for now, but thanks for the tip! My last commit passes the CI successfully; if you agree with my work, I'll let you validate the pull request: https://github.com/mrparkers/terraform-provider-keycloak/pull/198